Wednesday, January 21, 2015

How to delete/eliminate the "conduit search malware"

Understanding how Process Explorer’s dialogs and options work is all
fine and good, but what about using it for some actual troubleshooting
or to diagnose a problem? Today’s Geek School lesson will try and help
you learn how to do just that.

Not that long ago, we started investigating all sorts of malware and
crapware that gets installed automatically any time you don’t pay
attention while installing software. Nearly every piece of freeware on
the market, including the “reputable” ones, are bundling toolbars,
search hijacking awfulness, or adware, and some of it is hard to
troubleshoot.
We’ve seen many computers from people that we know that have so much
spyware and adware installed that the PC barely even loads anymore.
Trying to load the web browser, especially, is nearly impossible, as all
of the adware and tracking software competes for resources to steal
your private information and sell it to the highest bidder.
So naturally, we wanted to do a bit of investigation into how some of
these work, and there’s no better place to start than the Conduit
Search malware that has claimed hundreds of millions of computers
worldwide. This nefarious awfulness hijacks your search engine in your
browser, changes your home page, and most annoyingly, it takes over your
New Tab page no matter what your browser is set to.
We’ll start with looking at that, and then we’ll show you how to use
Process Explorer to troubleshoot errors that talk about locked files and
folders that are in use.
And then we’ll round it out with another look at how some adware
these days are hiding themselves behind Microsoft processes so they
appear legit in Process Explorer or Task Manager, even though they
really aren’t.

Investigating the Conduit Search Malware

As we mentioned, the Conduit search hijacker is one of the most
persistent, awful, and terrible things that nearly every one of your
relatives probably has on their computer. They bundle their software in
shady ways with any freeware they can, and in many instances, even if
you select to opt-out, the hijacker will still be installed.
Conduit installs what they call “Search Protect”, which they claim
prevents malware from making changes to your browser. What they don’t
mention is that it also prevents you from making any changes to their
browser unless you use their Search Protect panel to make those changes,
which most people won’t know about since it’s buried in the system
tray.
Not only will Conduit redirect all of your searches to their own
custom Bing page, it will set that as your home page. One would have to
assume that Microsoft is paying them for all this traffic to Bing,
since they are also passing some ?pc=conduit type of arguments in the query string.
Fun fact: the company behind this piece of garbage is worth 1.5
Billion dollars and JP Morgan invested $100 million into them. Being
evil is profitable.

Conduit Hijacks the New Tab Page… But How?

Hijacking your search and home page is trivial for any malware — this
is where Conduit steps up the evil and somehow rewrites the New Tab
page to force it to show Conduit, even if you change every single
setting.
You can uninstall all of your browsers, or even install a browser you
didn’t have installed before, like Firefox or Chrome, and Conduit will
still manage to hijack the New Tab page.

Somebody should be in jail, but they are probably on a yacht.

It doesn’t take much in terms of geek skills to eventually deduce
that the problem is the Search Protect application running in the system
tray. Kill that process, and suddenly your new tabs open just the way
the browser maker intended.
But how, exactly, does it do this? There are no add-ons or extensions
installed into any of the browsers. There aren’t any plugins. The
registry is clean. How do they do it?
This is where we turn to Process Explorer to do some investigation.
First, we’ll find the Search Protect process in the list, which is easy
enough because it is properly named, but if you weren’t sure, you can
always open up the window and use the little bulls-eye icon next to the
binoculars to figure out which process belongs to a window.
Now you can simply select the appropriate process, which in this case
was one of the three that run automatically by the Windows Service that
Conduit installs. How did I know that it was a Windows Service that
restarts it? Because the color of that row is pink, of course. Armed
with that knowledge, I could always go stop or delete the service
(though in this particular case, you can simply uninstall from Uninstall
Programs in Control Panel).
Now that you’ve selected the process, you can use the CTRL + H or
CTRL + D shortcut keys to open the Handles view or the DLLs view, or you
can use the View -> Lower Pane View menu to do it.

Note: in the world of Windows, a “handle” is an
integer value that is used to uniquely identify a resource in memory
like a window, an open file, a process, or many other things. Each open
application window on your computer has a unique “window handle”, for
example, that can be used to reference it.
DLLs, or dynamic link libraries, are shared pieces of compiled code
that are stored in a separate file to be shared among multiple
applications. For instance, instead of having every application write
their own File Open / Save dialogs, all applications can simply use the
common dialog code provided by Windows in the comdlg32.dll file.

Looking through the list of handles for a few minutes brought us a
little bit closer to what was going on, because we found handles to
Internet Explorer and Chrome, both of which are currently open on the
test system. We’ve definitely confirmed that Search Protect is doing
something to our open browser windows, but we’ll need to do a little
more research to figure out exactly what.
The next thing to do is double-click the process in the list to open
up the details view, and then flip over to the Image tab, which will
give you information about the full path to the executable, the command
line, and even the working folder. We’ll click the Explore button to
take a look at the installation folder and see what else is hiding
there.
Interesting! We’ve found a number of DLL files here, but for some
weird reason none of these DLL files were listed in the DLL view for the
Search Protect process when we were looking at it earlier. This could
be a problem.

Any time you want to see whether a DLL file is currently being used
by any application on your system, you can pop up the search pane by
going to the Find menu, hitting CTRL + F, or just clicking the
binoculars icon on the toolbar. Now type in part of the name of the DLL,
or even the full name if you’d like.
We chose to search for just the beginning, “SPVC”, since that was the
common tie between them all, and sure enough, it looks like those DLLs
are being loaded directly into each of the browser processes running on
our computer.
Clicking on one of the items in the list and switching over to the
Threads page confirmed what we were worried about. Both Chrome and
Internet Explorer were running threads using the SPVC32.dll or
SPVC64.dll files from the Search Protect malware, and this is how they
were hijacking our new tab page — not by changing settings, but by
hijacking the browser from within.

Note: In Windows, a thread is what the operating
system allocates processor time to. A process is what we geeks and
system admin types are used to thinking of as the thing that runs, but
technically threads are the only thing that actually runs in Windows,
not processes. Some processes have only one thread of execution, while
others have many threads that all run separately from one another,
usually coordinating through some sort of in-process communication
mechanism.

You can also double-click on any of the threads to see the full
execution stack, which can be useful to see what functions are being
called and attempt to figure out what the problem is.
You might be wondering how the Search Protect application managed to
get Google Chrome to load that DLL, and the answer is that Windows
provides a feature called DLL Injection. A process can inject a DLL into
another process, and then hijack certain API functions. This is how
certain applications override Windows features or features in other
applications. It’s a very complicated subject that we definitely can’t
get into in this lesson, but if you really want to read more, you can check out this guide.
It’s also worth noting that you can see the CPU usage per thread by
digging into this level of details, which can be very useful when
troubleshooting an application that has plugins. You could use this to
figure out that a particular DLL file is taking up too much of the
processor time, and then do some research on what that component belongs
to.
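
The manual steps above (find the process, open the DLL view, search for "SPVC") can be scripted. The following PowerShell function is an added example and not code from the original article: it walks every DLL loaded into the running browser processes and reports the ones whose Authenticode signature does not validate or which live outside the usual program directories. The "SPVC" name pattern comes from the article; the function and parameter names are my own.

```powershell
# Added example, not code from the original article. It automates the Process
# Explorer "Find handle or DLL" step: list the DLLs loaded into the running
# browser processes and flag the ones that are unsigned, fail signature
# validation, or are loaded from outside the normal program directories.

function Find-SuspiciousModule {
    param(
        [string[]]$ProcessName = @('chrome', 'iexplore', 'firefox', 'msedge'),
        # Substring to look for in module names, like the "SPVC" search in the text.
        [string]$NamePattern = '',
        # Directories where legitimately installed code is expected to live.
        [string[]]$TrustedRoot = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)})
    )

    Get-Process -Name $ProcessName -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        try {
            # .Modules only works for processes of the same bitness as this
            # PowerShell host; use 64-bit PowerShell for 64-bit browsers.
            $modules = $proc.Modules
        } catch {
            Write-Warning "Cannot enumerate modules of $($proc.Name) (PID $($proc.Id)): $_"
            return
        }
        foreach ($m in $modules) {
            $path = $m.FileName
            if ($NamePattern -and $m.ModuleName -notlike "*$NamePattern*") { continue }

            $inTrustedDir = $false
            foreach ($root in $TrustedRoot) {
                if ($root -and $path.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) {
                    $inTrustedDir = $true
                }
            }

            $sig = Get-AuthenticodeSignature -FilePath $path
            $flags = @()
            if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            if (-not $inTrustedDir)      { $flags += 'outside program dirs' }

            # With a name pattern, report every match; otherwise only flagged modules.
            if ($NamePattern -or $flags.Count -gt 0) {
                [pscustomobject]@{
                    Process = $proc.Name
                    PID     = $proc.Id
                    Module  = $m.ModuleName
                    Path    = $path
                    Signer  = $sig.SignerCertificate.Subject
                    Flags   = ($flags -join '; ')
                }
            }
        }
    }
}

# Reproduce the article's search for the SPVC*.dll files, then do a broader sweep.
Find-SuspiciousModule -NamePattern 'SPVC' | Format-Table -AutoSize
Find-SuspiciousModule | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that the 64-bit browser processes can be inspected. Per-user installs (Chrome installs under the user profile on some systems) will show up as "outside program dirs", which is why the Signer column is included: a Google-signed DLL under the user profile is expected, an unsigned one is what the article is describing.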

Dealing with Locked Files or Folders

Since it’s unlikely that you’ll be investigating malware all the
time, it’s also helpful to use Process Explorer for other tasks, like
dealing with those “In Use” dialogs that you get any time you try to
delete, move, or modify a file or folder that is being used by another
process, especially when you aren’t sure which process is locking it up.
When you get an error like that one, just head over to Process
Explorer, open up the search with CTRL + F or the icon, and then type in
the name of the folder listed above (or more descriptive full path if
the name is very vague).
You’ll very quickly see a process in the list that has your file or
folder open, and you can double-click on it to identify the process in
the list.
Your immediate reaction might be to just close that process, but you
don’t necessarily have to do that. You can also right-click on the file
or folder in the list of handles (Use the CTRL + H option to bring up
the Handles list) and choose the Close Handle option. That resource is
now unlocked!
Note: If you’re deleting something, this is a perfectly fine
option, but if you are just trying to edit or move that item, you
should probably open the offending application and deal with it there so
you don’t lose any data.
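
The same search can be done from the command line with Sysinternals handle.exe, the console sibling of Process Explorer. The function below is an added example, not code from the original article; the install path of handle.exe and the output line layout that the regular expression parses are my assumptions about the tool.

```powershell
# Added example, not code from the original article: a command-line counterpart
# to the CTRL + F search, using Sysinternals handle.exe. The path to handle.exe
# and the exact output layout matched by the regex are assumptions.

function Get-LockingProcess {
    param(
        # File or folder name, or any part of its full path.
        [Parameter(Mandatory)][string]$Path,
        # Assumed location of the Sysinternals tools on this machine.
        [string]$HandleExe = 'C:\Tools\SysinternalsSuite\handle.exe'
    )
    if (-not (Test-Path $HandleExe)) { throw "handle.exe not found at $HandleExe" }

    # -accepteula suppresses the first-run licence prompt, -nobanner drops the header.
    # Run elevated; otherwise handles held by other users' processes are not visible.
    $lines = & $HandleExe -accepteula -nobanner $Path 2>&1

    foreach ($line in $lines) {
        # Assumed line layout:
        #   chrome.exe   pid: 5128   type: File   1CC: C:\Users\me\Downloads
        if ($line -match '^(?<proc>\S+)\s+pid:\s*(?<pid>\d+)\s+type:\s*(?<type>\S+)\s+(?<handle>[0-9A-Fa-f]+):\s*(?<name>.+)$') {
            [pscustomobject]@{
                Process = $Matches.proc
                PID     = [int]$Matches.pid
                Type    = $Matches.type
                Handle  = $Matches.handle
                Name    = $Matches.name.Trim()
            }
        }
    }
}

# Which process has something under a folder named Downloads open?
Get-LockingProcess -Path 'Downloads' | Format-Table -AutoSize
```

The Handle and PID columns are what the article's Close Handle option needs (handle.exe takes them as `-c <handle> -p <pid>`), and the same caveat from the note above applies: close a handle only when you are deleting the item, not when the owning application may still have unsaved data.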

Researching Processes that Look Safe but Aren’t

During our malware research we’ve noticed another problem that is
becoming more prevalent, so it is wise to keep an eye on it in the
future. What is that problem? Malware is hiding behind legitimate
Windows processes, and it’s doing a good job.
The problem is the Windows rundll32.exe utility, which can be used to
arbitrarily run functions from DLL files. Since this utility is signed
by Microsoft it shows up as a completely legit process in the list, but
in reality what they are doing is just moving all of their malware /
adware code into a .DLL file instead of a .EXE file, and then loading up
the malware with rundll32.exe instead. In fact, if you see rundll32.exe
running as an “own process” in the light blue color shown below, it’s
nearly always something that shouldn’t be running.
In the example below, you can see that even though we used the
Verified Signer feature to validate that item, when we hover over it and
look at the full path, it is actually loading up a DLL that turns out
to be part of an adware product.
Note: before you start screaming about running an anti-virus
scan, we’ll note that we did, and it didn’t come back with anything.
Much of this crapware, adware, and spyware is ignored by anti-virus
utilities.
Double-clicking to open up the details shows more of the problem, and
we can also see the directory that the badware is running out of, which
we’ll use to investigate further.
Inside that directory we found a number of files that were being updated constantly in the background.
The rest of the investigation led into some other tools that weren’t
SysInternals, and that we’ll probably cover at a later date, but suffice
it to say that this is just a piece of malware that was running in
conjunction with another crapware application.
The important point here is that malware is able to hide itself
behind legitimate Windows executables, so be sure to keep your eyes
peeled for anything similar.
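
The Verified Signer column only vouches for rundll32.exe itself; what matters is the DLL it was told to load. The function below is an added example, not code from the original article: it pulls the DLL path out of each rundll32.exe command line, resolves a bare name from System32 the way the loader would, and checks whether that DLL validates and lives under the Windows directory. Function and column names are my own.

```powershell
# Added example, not code from the original article: inspect the DLL behind
# every running rundll32.exe instead of trusting the signature on rundll32 itself.

function Get-RunDll32Target {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $cmd = [string]$_.CommandLine   # empty for other users' processes when not elevated

        # Strip the rundll32.exe token (quoted or not); what remains is "<dll>,<entry> [args]".
        $rest  = $cmd -replace '^\s*"?[^"]*?rundll32(\.exe)?"?\s*', ''
        $parts = $rest -split ',', 2
        $dll   = $parts[0].Trim().Trim('"')
        $entry = if ($parts.Count -gt 1) { $parts[1].Trim() } else { '' }

        # A bare name such as shell32.dll is resolved from System32, as the loader would.
        if ($dll -and -not [System.IO.Path]::IsPathRooted($dll)) {
            $candidate = Join-Path (Join-Path $env:SystemRoot 'System32') $dll
            if (Test-Path $candidate) { $dll = $candidate }
        }

        $status    = 'no DLL on command line'
        $signer    = ''
        $inWindows = $false
        if ($dll -and (Test-Path $dll)) {
            $sig       = Get-AuthenticodeSignature -FilePath $dll
            $status    = $sig.Status
            $signer    = $sig.SignerCertificate.Subject
            $inWindows = $dll.StartsWith($env:SystemRoot, [StringComparison]::OrdinalIgnoreCase)
        } elseif ($dll) {
            $status = 'file not found'
        }

        [pscustomobject]@{
            PID        = $_.ProcessId
            ParentPID  = $_.ParentProcessId
            Dll        = $dll
            EntryPoint = $entry
            Signature  = $status
            Signer     = $signer
            # Worth a closer look when the DLL is outside %SystemRoot% or its signature fails.
            Suspicious = (-not $inWindows) -or ("$status" -ne 'Valid')
        }
    }
}

Get-RunDll32Target | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Windows itself starts rundll32.exe for short-lived tasks, so a Suspicious row is a lead, not a verdict. The ParentPID column is the command-line equivalent of the colour cue in the article: a long-running rundll32.exe that was started from a user-profile directory, rather than as a child of a system component, is the pattern described above.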

Coming Up Next

Stay tuned tomorrow for even more SysInternals knowledge, as we show
you how to use the Process Monitor utility to track what applications
are actually doing behind the scenes. It’ll be eye-opening.
